Implementing the Protection of Personal Information Act 4 of 2013 (POPIA) requirements has taken South Africa by storm. Last-minute registrations of Information Officers with the Information Regulator has overwhelmed the online portal to such an extent that it has become inoperable, forcing responsible parties to email completed pdf registration forms to the regulator. 

Although the Covid-19 pandemic has rightly been the dominant focus for healthcare practitioners, implementing the POPIA requirements is something that every healthcare practice must pursue.

Confidentiality is only one of the requirements of the POPIA. Therefore, practitioners must understand what needs to be in place to be POPIA compliant. Compliance is not a one-time-box-ticking exercise. A new culture must be established and maintained in the practice.

Table of Contents 

  • Where to Start? 
  • Registering your Information Officer with the Information Regulator 

Where to Start? 

The first thing to do is to become familiar with the act. A lack of understanding of the act will create dangerous non-compliance, fear or vulnerability to being bullied into acquiring unnecessary products or services. Furthermore, most of the requirements can be implemented by the practice without any assistance from third parties. 

Click here to register for GoodX’s 90-minute online CPD-accredited course on the provisions of the POPIA. 

GoodX POPIA Compliance Framework wheel

After understanding the requirements of the act, the practice can start with a systematic process of implementation. This compliance framework diagram has divided the requirements into four stages of implementation:

  1. The establish compliance stage – how to get your POPIA ducks in a row;
  2. The collection stage;
  3. The compliance continuity stage – since the POPIA is not a one-time-box-ticking exercise; and
  4. The post-use stage – what to do with old information;

Each stage contains specific categories that group requirements together. In the diagram, the first stage’s first category is the Information Officer.

Registering your Information Officer with the Information Regulator

The following step-by-step action map summarises the first category’s requirements. Click here to download the rest of the action maps as a FREE booklet. (The book “An introduction to the protection of personal information in the healthcare practice” included in the above online CPD-accredited course contains detailed information on the items included in the action maps.)

GoodX POPIA Compliance Framework - Establish Compliance

The registration process at the Information Regulator is compulsory for all businesses that process Personal Information. All healthcare practices, therefore, have to register their Information Officer at the Information Regulator. 

The designated person will be the owner of the business or the CEO of an Incorporated company. A partnership has to elect one of the senior partners to become the Information Officer. Large practices can appoint Deputy Information Officers (DIOs) to assist the Information Officer with practicalities.

The practice can officially appoint the Information Officer (and DIO) on a letterhead and save the document with other compliance documents. If a data breach does occur, for example, as a result of ransomware, the Information Officer must notify the Information Regulator about the breach.

Information Officers can click here to register on the official website of the Information Regulator. If the online registration portal is out of order, you can download the PDF document there and send the completed document to the email address provided on their website. Just keep a record of the email sent to the Information Regulator so that you can prove that you have registered.

Registrations should have been completed by 30 June 2021. However, it is never too late. If you have not yet registered, do so as soon as possible. Furthermore, you should continue to systematically implement the requirements of the POPIA so that you will not be vulnerable to legal action, either from the regulator or patients.


  • RP – Responsible Party
  • IO – Information Officer
  • DIO – Deputy Information Officer
  • PI – Personal Information
  • DS – Data Subject (most often the patient)
  • IR – Information Regulator